OpenAM / OPENAM-13049

Encrypted stateless OAuth2 access tokens cannot be revoked

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0
    • Fix Version/s: 6.0.0
    • Component/s: None
    • Needs backport: No
    • Needs QA verification: No
    • Functional tests: Yes
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      When attempting to revoke an encrypted stateless OAuth2 access token, the server returns a 500 error, and the access token is not blacklisted. This does not affect tokens which are only signed.

      How to reproduce the issue

      Run the StatelessTokenRevocationEndpoint tests. There are failures which occur only in the encrypted case (not the signed case).

      Expected behaviour

      The tests should pass, and access tokens should be able to be revoked.

      Current behaviour

      The tests fail with a 500 error from AM.

      Code analysis

      org.forgerock.openam.oauth2.token.stateless.StatelessTokenStore#deleteAccessToken assumes that the JWT it receives is a SignedJwt. In the encrypted case it receives an EncryptedJwt, which then fails with a ClassCastException.

            People

            • Assignee: Emma Rumsey (emma.rumsey)
            • Reporter: Emma Rumsey (emma.rumsey)